Security Think Tank: How should UK businesses prepare for EU data protection rules?


The European General Data Protection Regulation represents the most significant change to data protection in the UK and EU since 1995. Once adopted, it will have the force of law across all 27 EU states, giving uniformity of data protection laws across all member states and significantly increasing penalties for non-compliance. The ISF, working with its members, has identified the top five actions to take.

1 - Get your privacy policies, procedures and documentation in order and keep them up to date: data protection authorities will be able to ask for these at any time.

2 - Form a governance group that oversees all your privacy activities, led by a senior manager or executive. If you have over 250 employees, appoint a data protection officer. The group should develop metrics to measure the status of privacy efforts, report regularly and create statements of compliance that will be required as part of your organisation’s annual report. 

3 - Implement a breach notification process and enhance your incident management processes and your detection and response capabilities. Any data breach must be notified to the relevant data protection authority, even if protective measures such as encryption are in place or the likelihood of harm is low.

4 - Prepare your organisation to fulfil the "right to be forgotten", "right to erasure" and the "right to data portability". A strategy covering topics such as data classification, retention, collection, destruction, storage and search will be required – and it should cover all mechanisms by which data is collected, including the internet, call centres and paper.

5 - Create and enforce privacy throughout your systems' lifecycles to meet the "privacy by design" requirement, whether you buy or develop. This will ensure privacy controls are stronger, simpler to implement, harder to bypass and fully embedded in a system's core functionality.

Adrian Davis is a principal analyst at the Information Security Forum (ISF)

This was first published in March 2012
